Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

still hijacked after using ad-aware, spybot, HJT

Started by Innana , Jun 22 2005 12:45 PM

  • Please log in to reply

#1
Innana
Posted 22 June 2005 - 12:45 PM

Innana

    New Member

  • Member
  • Pip
  • 6 posts
Hello,

I'm having serious issues trying to get 'un-hijacked'. PC is W2K with IE 6.01. I've tried using the suggestions listed in this thread -

http://www.geekstogo...opic=34137&st=0

I realize that PC was running XP, but figured I'd give the instructions a shot to see if that would work.

Any additional ideas/help would be VERY helpful!

Thanks so much!
Innana
  • 0

Advertisements

#2
tj416
Posted 26 June 2005 - 07:53 PM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,


Download HijackThis and post a logfile:
  • Download HijackThis.
  • Create a folder named "HijackThis". To create a folder:
    • Go to My Documents.
    • Right-click and select New> Folder.
    • Name the folder as "HijackThis".
  • Extract the contents of hijackthis.zip into the folder you've just created.
  • Open HijackThis.exe
  • Click on "Do a system scan and save a logfile".
  • After the scan is complete a Notepad window will popup.
  • In the Notepad window, go to Edit> Select all and then Edit> Copy.
  • Paste the log into your next reply.
Do NOT fix anything until we check your log. You can cause serious damage to your operating system if you fix a valid entry.
  • 0

#3
Innana
Posted 27 June 2005 - 11:22 AM

Innana

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here you go...

Thanks much!

Logfile of HijackThis v1.99.1
Scan saved at 1:13:34 PM, on 6/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLClient.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Documents and Settings\llanni\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.pachamber.org/
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: CounterSpy Agent.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - Global Startup: CounterSpy Service.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://insight.pachamber.com (HKLM)
O15 - Trusted Zone: http://insight.pachamber.org (HKLM)
O15 - Trusted Zone: http://intranet.pachamber.org (HKLM)
O15 - Trusted Zone: http://timesheets.pachamber.org (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://owa.pachamber...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://owa.pachamber...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://owa.pachamber...stall/setup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://owa.pachamber.../RemoveCtrl.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoo...s.net/Wyncs.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptLogic service (SLClient) - ScriptLogic Corporation - C:\WINNT\SYSTEM32\SLClient.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
  • 0

#4
tj416
Posted 27 June 2005 - 10:04 PM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,

Disable SpySweeper because it may interfere during the fix:
  • Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck 'automaticly restore default without notification".
  • Reboot your PC.
Then, go to Add/Remove Programs and uninstall (if present):
Fla
tvs

Then, open HijackThis, run a scan and check these items:
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll

O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab

If you didn't put the following websites in your Trusted zone, check these items. Remember you only put websites in your Trusted zone only if you are sure that they don't add malware to your PC. Adding the wrong websites to your Trusted zone will infeect your computer and open it up for more attacks.
O15 - Trusted Zone: http://insight.pachamber.com (HKLM)
O15 - Trusted Zone: http://insight.pachamber.org (HKLM)
O15 - Trusted Zone: http://intranet.pachamber.org (HKLM)
O15 - Trusted Zone: http://timesheets.pachamber.org (HKLM)

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then,reboot in Safe mode. To reboot in Safe mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

You will need to configure Windows 2000 to show all files and folders.
1. Open My Computer.
2.Select the Tools menu and click Folder Options.
3. Select the View Tab.
4.Under the Hidden files and folders heading select Show hidden files and folders.
5.Uncheck the Hide protected operating system files (recommended) option.
6.Click Yes to confirm.
7.Click OK.

Then, delete these folders:
C:\program files\tvs
c:\Program Files\Fla

Then, delete these files:
C:\Program Files\Common Files\Java\flacpy.exe

Then, delete Temp Files. To delete temp files:
Click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Do this same process for %windir%\temp.

Then, delete Temporary Internet Files. To delete Temporary Internet Files:
Open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Then, reboot.

Then, submit the following file to this website and tell me what it says about it:
C:\WINNT\system32\ctfmon.exe

Then, and post a new log in this thread and the results from the scan from Jotti.
  • 0

#5
Innana
Posted 28 June 2005 - 01:51 PM

Innana

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's what Jotti gave me -

File:
CTFMON.EXE

Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5
d36a33c21eeed5a6c1daecb7c80a1909

Packers detected:
-

Scanner results

AntiVir - Found nothing

ArcaVir - Found nothing

Avast - Found nothing

AVG Antivirus - Found nothing

BitDefender - Found nothing

ClamAV - Found nothing

Dr.Web - Found nothing

F-Prot Antivirus - Found nothing

Fortinet - Found nothing

Kaspersky Anti-Virus - Found nothing

NOD32 - Found nothing

Norman Virus Control - Found nothing

VBA32 - Found nothing


Thanks!
  • 0

#6
tj416
Posted 28 June 2005 - 10:42 PM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,

Please post a fresh HijackThis log.
  • 0

#7
Innana
Posted 29 June 2005 - 06:25 AM

Innana

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here you go...

Logfile of HijackThis v1.99.1
Scan saved at 8:22:39 AM, on 6/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLClient.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Documents and Settings\llanni\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.pachamber.org/
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: CounterSpy Agent.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - Global Startup: CounterSpy Service.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://insight.pachamber.com (HKLM)
O15 - Trusted Zone: http://insight.pachamber.org (HKLM)
O15 - Trusted Zone: http://timesheets.pachamber.org (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://owa.pachamber...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://owa.pachamber...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://owa.pachamber...stall/setup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://owa.pachamber.../RemoveCtrl.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoo...s.net/Wyncs.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptLogic service (SLClient) - ScriptLogic Corporation - C:\WINNT\SYSTEM32\SLClient.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
  • 0

#8
tj416
Posted 29 June 2005 - 11:07 PM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,

Open HijackThis, run a scan and check these items:
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, reboot (in the normal mode) and post a new log in this thread.
  • 0

#9
Innana
Posted 30 June 2005 - 12:06 PM

Innana

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's the one from this morning...

Thanks so much for all your help!

Logfile of HijackThis v1.99.1
Scan saved at 11:57:12 AM, on 6/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLClient.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Documents and Settings\llanni\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.pachamber.org/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: CounterSpy Agent.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - Global Startup: CounterSpy Service.lnk = C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://insight.pachamber.com (HKLM)
O15 - Trusted Zone: http://insight.pachamber.org (HKLM)
O15 - Trusted Zone: http://timesheets.pachamber.org (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://owa.pachamber...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://owa.pachamber...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://owa.pachamber...stall/setup.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://owa.pachamber.../RemoveCtrl.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoo...s.net/Wyncs.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O17 - HKLM\System\CS2\Services\Tcpip\..\{46C5F3F4-1FCB-447E-B34C-91FEBE7F0327}: NameServer = 10.1.0.13,10.1.0.126
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptLogic service (SLClient) - ScriptLogic Corporation - C:\WINNT\SYSTEM32\SLClient.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
  • 0

#10
tj416
Posted 30 June 2005 - 11:47 PM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,

Your log looks clean. How is everything running?
  • 0

#11
Innana
Posted 06 July 2005 - 06:18 AM

Innana

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Everything is looking great! No more evil random pop-ups!

Thanks so very much for your help!
  • 0

#12
tj416
Posted 09 July 2005 - 02:38 AM

tj416

    Visiting Staff

  • Member
  • PipPipPip
  • 323 posts
Hi Innana,

Don't forget to re-hide all files and folders. To re-hide all files and folders:
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
To prevent re-infection in the future:
  • I suggest you download Spyware Blaster to prevent the installation of Spyware in the first place.
  • IE-Spyad puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all and I suggest you download it.
  • Another excellent program I recommend is SpywareGuard. It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
  • I recommend that you read a thead titled So how do I get infected in the first place? by Tony Klein which informs you on how to tighten the security of your PC.
Take care,
TJ
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP